On March 2, 2018, Yahoo! entered into a proposed settlement of a securities class action filed against the company following its disclosures in 2016 that it had suffered significant data breaches in 2013 and 2014.[1] Under the settlement, which is still subject to court approval, Yahoo! has agreed to pay $80 million to settle claims that it misled investors by failing to disclose the breaches in its public filings, while still touting the strength of its cybersecurity practices. On the same day the settlement became public, Yahoo! moved to dismiss the claims being pursued by an opt-out plaintiff. Among other things, Yahoo! asserted in its motion that the complaint failed to adequately allege that it had misrepresented the strength of its cybersecurity protections, arguing that statements like “we take the securities of our users very seriously,” and “Yahoo is committed to gaining your trust,” were neither actionable misstatements nor rendered false by the data breaches.[2]

Notably, the proposed settlement marks the first significant recovery in a suit brought by shareholders under Section 10(b) of the Securities Exchange Act of 1934 based on a company’s alleged failure to adequately disclose cybersecurity incidents and risks. With the growing focus on cybersecurity, such cases are becoming commonplace following data breaches or other significant cybersecurity incidents at public companies. Public entities should thus stay vigilant on cybersecurity disclosure issues, including by taking into account the SEC’s new cybersecurity guidance, as discussed in our recent alert memorandum.

Katherine Mooney Carroll’s practice focuses on advising U.S. and international financial institutions on U.S. regulatory matters, including recent reforms pursuant to the Dodd-Frank Act, regulatory aspects of bank M&A, cybersecurity and privacy matters, and compliance with U.S. sanctions and anti-money laundering laws.

Francesco De Biasi’s practice primarily focuses on private enforcement and internal investigations of corporate wrongdoing, with a focus on the requirements under Legislative Decree 231/2001, as well as on corporate, civil, labor law and data protection matters related to white collar crimes.